Skip to main content

NSA list: what you need to know about the top vulnerabilities currently targeted by Chinese hackers Part 1

NSA list: what you need to know about the top vulnerabilities currently targeted by Chinese hackers Part 1

Simon Roe, Product Manager Outpost24
This week NSA published a list of the top 25 vulnerabilities that Chinese hackers are actively exploiting, and unsurprisingly the list included some of the most prominent CVEs that we’ve covered in our previous risk based vulnerability management blogs.
NSA list

In part 1 we will cover the first 10 entries on the NSA list

No 1. Pulse Secure VPN server vulnerability

CVE Description CVSSv3 Score Farsight Rating Last seen (Farsight)
CVE-2019-11510 An unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. This may lead to exposure of keys or passwords 10.00 38.46 2020-10-17

We first reported this vulnerability as a serious risk to organizations back in our "Fix now: High risk vulnerabilities at large, April 2020" blog. At that point we had given the likelihood score a rating of 38.46 and, this vulnerability had been trending at the maximum rating since November 2019. At the time only proof of concept exploits existed but we have seen this change to in the wild exploitation, and of course NSA’s no 1. on the list.

No 2. BigIP traffic management RCE

CVE Description CVSSv3 Score Farsight Rating Last seen (Farsight)
CVE-2020-5902 Remote code execution in the TMUI 9.8 38.46 2020-10-13

We reported on this one in our Previous "Fix now: High risk vulnerabilities at large, October" blog. Looking at the Farsight rating, this trended around the low 10.00’s from the day after initial release (1st July) through to the 12th July when it was given the full 38.46 risk score where, for many obvious reasons, it has remained until today.

No 3. Citrix ADC directory traversal

CVE Description CVSSv3 Score Farsight Rating Last seen (Farsight)
CVE-2019-19781 Directory traversal issue which can lead to an RCE 9.8 38.46 2020-10-18

We wrote about this one back in our first Farsight vulnerability blog in April. At this time the vulnerabilities likelihood was 29.15 and we reported the presence of PoC exploit code. Catapult 6 months ahead and we see this on NSA’s hacker list. Once again this demonstrates the power of Farsight in providing an early warning and prediction of exploitation.

No 4., No 5 & No 6 More Citrix ADC

CVE Description CVSSv3 Score Farsight Rating Last seen (Farsight)
CVE-2020-8193 Improper access control allows unauthenticated access to certain URL endpoints 6.5 38.46 2020-07-14
CVE-2020-8195 Improper input validation leading to limited information disclosure 6.5 9.14 2020-07-14
CVE-2020-8196 Improper access control leading to limited information disclosure 4.3 8.92 2020-07-14

All three of these were released in July with lower likelihood scores. Of the three we have only seen CVE-0202-8193 reach the highest likelihood due to exploitation in the wild. However, these three vulnerabilities together provide a perfect storm for use in web shell malware.

No 7. Bluekeep

CVE Description CVSSv3 Score Farsight Rating Last seen (Farsight)
CVE-2019-0708 An RCE exists in remote desktop services of windows operating systems 9.8 38.46 2020-10-14

We discussed Bluekeep in one of our introductory Farsight blogs demonstrating the power of risk based vulnerability management. In the discussion of Bluekeep we highlighted that Farsight would have rated the vulnerability a 38.46 likelihood of exploitation as early as June 2019. Over 12 months later we continue to see this being exploited in the wild.

No 8. MobileIron MDM Remote code execution

CVE Description CVSSv3 Score Farsight Rating Last seen (Farsight)
CVE-2020-15505 An RCE vulnerability allowing remote threat actors to execute arbitrary code and take control of remote company servers 9.8 38.46 2020-09-17

This is the first time we have raised attention with this vulnerability here in our blog. First reported by NIST on 6th July. On the 7th this vulnerability was trending with a Farsight likelihood of 9.54 times more likely to be exploited. It hovered around this score through July until 30th September when the score jumped to 38.46 undoubtedly as the first compromises were discovered. Patch and remediation information can be found here.

No 9. SIGRed

CVE Description CVSSv3 Score Farsight Rating Last seen (Farsight)
CVE-2020-1350 A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests 10.0 38.46 2020-10-09

We covered SIGRed in our July part 3 blog where we noted it had already received the highest likelihood rating possible. When it was first announced, Farsight rated this as 9.54 times more likely than the average vulnerability to be exploited, jumping to 38.46 by the 18th July.

No 10. Netlogon / Zerologon

CVE Description CVSSv3 Score Farsight Rating Last seen (Farsight)
CVE-2020-1472 An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). 10.0 38.46 2020-10-19

Another vulnerability covered in our Farsight blogs, this time in our 2nd September blog. At the time it was reported as a 38.46 likelihood and looking at the Farsight prediction it received this rating around 21st September after hovering around 8.51 likelihood of exploitation for the period August through 20th September.

Wrap up

There you have it. Of the 10 / 25 of the NSA vulnerabilities covered we had specifically written about 6 of them in our blogs providing our customers with insights into the Farsight likelihood risk score as well as timely information on remediation and patch. Of the other 4, all had coverage in Farsight and were trending above the average (likelihood of 1) well in advance of any real world exploitation. A pattern we’d expect to see in the remaining 15 vulnerabilities on the NSA top 25 target list.

Our customers who have switched to Outpost24 Farsight as a driving force for their Risk based vulnerability management can rest knowing that it captures and alerts the most risky (and targeted) vulnerabilities, often ahead of any real world mass usage by threat actors. And whilst moving to likelihood could be seen as a leap of faith for those organizations who have been used to relying on CVSS. It definitely provides a peace of mind knowing you are targeting and addressing the most risky, based on real world threat intelligence and vulnerabilities existing in your infrastructure.

Next time we shall consider the remaining 15 vulnerabilities on NSA’s list.


Looking for anything in particular?

Type your search word here